Configuring Kubernetes Clusters
Configuring Firewall Rules
The course is part of these learning paths
This course guides you through the key steps to configure a Google Cloud Platform virtual private cloud (VPC), which allows you to connect your GCP services with one another securely.
After a brief introduction, the course begins with how to set up and configure VPCs, including VPC peering and shared VPC. You'll learn how to configure routes, set up cloud NAT (network address translation), and configure VPC-native clusters in Kubernetes, before rounding off the course by looking at VPC firewalls. The topics in this course are accompanied by demonstrations on the platform in order to show you how these concepts apply to real-world scenarios.
If you have any feedback, questions, or queries relating to this course, please feel free to contact us at email@example.com.
- Configure Google Cloud Platform VPC resources
- Configure VPC peering and API access
- Create shared VPCs
- Configure internal static and dynamic routing, as well as NAT
- Configure and maintain Google Kubernetes Engine clusters
- Configure and maintain VPC firewalls
This course is intended for:
- Individuals who want to learn more about Google Cloud networking, who may also have a background in cloud networking with other public cloud providers
- Individuals who simply want to widen their knowledge of cloud technology in general
To get the most from this course, you should already have experience in public cloud and networking as well as an understanding of GCP architecture.
Welcome to the next section of the course. Today I'm excited to talk to you about your GCP network protocols, your firewall logs, and your ingress and egress rules. So we're gonna talk about this a little bit more in depth, and the first thing I really want you to get an understanding of is from the very main VPC network screen, we're gonna be using the default network.
So I'm gonna go ahead and click on that. Once I click on that, you're gonna see all the details that you know for this network, and I'm gonna click on Firewall rules. Now, the first thing I wanna talk about in regards to firewall rules, is that you first need to be a security admin or a project owner, or a project editor from an IAM standpoint, to be able to modify, create, delete, turn off logging, any of that good stuff within GCP. So that's the first type of IAM privileges you need to have.
Second, for the purpose of this demo here, I'm also going to show you exactly how these rules work and give you an example of what happens when you turn on the logs and apply rules. But first, check out these rules that are automatically set up. These are the default rules that are set up once you create a VPC, and when this default VPC was created, we got your default-allow-icmp, internal traffic, and keep in mind this is only internal traffic within GCP.
By default, all external traffic coming in the GCP is blocked, but all outgoing traffic going out to the internet is allowed. Default-allow-rdp for your remote desktop protocol for your Windows instances, and your default-allow-ssh for your Linux boxes. Another thing to keep in mind when we're talking about protocols, as you can see, with these rules have been set up is ICMP is being used for ping, you'll see port numbers down here for the TCP 3389 for your RDP, and you know Port 22 for your secure shell. So all of those, you can configure those individually and specifically when you are creating a firewall rule.
Over to the action, it will be Allow or Deny, and then Priority, the higher the number, the lower priority it is. So all of these rules have a priority of 65,534. So what we're gonna do now is we're going go and click Add firewall rule. We're just gonna name this one firewall, and we're gonna call it firewall-web.
We're going to turn on the logs. Now, the firewall logs can generate a huge number of logs, as you can see here on the screen for the description, but it's very key that you if you need to do any type of forensics, where you want a lot of detail, you click this and you turn it on, and then here's your network, we're gonna select, we only have one.
Priority as I mentioned earlier, it goes up to 65,535, but we're gonna have the priority of this one, we're just gonna leave it at 1000. Action on match we're gonna set to Deny, the Targets, were just gonna say every instance in the network which will mean any type of resource or compute engine instance, and scrolling down the filter, we're just gonna leave it from a source IP range, and we're gonna use the entire internet. And to make this a very simple demo, we're gonna click deny everything.
Now, actually, let me back up a little bit. When we look at the specified protocols and ports, I could very easily go down here and type in, actually, for TCP, I could type in Port 22, but we're just gonna deny it all, and we're gonna hit Create, and as this rule has been finished created, you're gonna notice it's gonna go right to the top, because it has the lowest priority.
You're gonna see it's also affecting all ports and protocols and the action will be Deny. So what's gonna happen here, what we're expecting to happen is that when we attempt to connect to our Compute Engine VM instance via SSH that it's gonna get completely blocked.
So what I'm gonna do now is I'm gonna open up a new tab, and from this tab, we're gonna go back to our Compute Engine VM instance, and we're gonna click on SSH, and while this is attempting to connect, we're just gonna give it a moment here, it could be a minute here, so we'll pause the video, and just like that, you see connection failed, we're unable to connect to the VM on port 22, right? We try, it would try it again, but like I said, it could take a little while so we won't wait for it to do that, but what I am gonna do is I'mma go back to the VPC networks under default, and under Firewall rules, I'm going to click on the rule that I created, firewall-web. And at the top, you're gonna see I can click on view, to view the logs.
Now, what's great about this is it's gonna take you directly to the Stackdriver logging, and it's gonna show you the log name, all the JSON data here at the top, the network, everything you need to see in regards to this rule, and as you're gonna see right here at the time, we're gonna see that this rule was denied, trying to reach the VM named firewall, in central1-a, us-central1-a, and, yeah, that's pretty much it, down here at the bottom, you're gonna see Deny and you're gonna see the direction was Ingress for the incoming traffic. And then, last but not least, a priority, and then there's a reference.
So all the rules that we put in here are all in JSON text, then you can read it and you can export it if you need it, but hopefully, this gives you a good understanding on how network protocols, firewall logs, and your ingress/egress rules work within GCP.
About the Author
Mark has many years of experience working with Google Cloud Platform and also holds eight GCP certifications.